Privacy Notice

    1. Controllership
    2. Processing of Personal Data
    3. Basis of Processing
  2. Personal Data We Collect, How We Receive Personal Data, and How We Use Personal Data
  3. Sale and Sharing Personal Data with Third Parties
  4. International Transfers of Personal Data
  5. Other Disclosures of Your Personal Data
  6. ChatBot
  7. Cookies
  8. Data Integrity & Security
  9. Data Retention
    1. Right to Be Informed
    2. Right of Access
    3. Right to Change Your Personal Data
    4. Right to Delete Your Personal Data
    5. Right to Restrict Processing
    6. Right to Object
    7. Right to Port or Move Your Personal Data
    8. Right Not to be Subjected to Automated Decision-Making
    9. Right to Withdraw Your Consent
    10. Right Not to Be Discriminated Against for Exercising Your Privacy Rights
    11. Right to Lodge a Complaint with a Supervisory Authority
    12. How Can You Exercise Your Privacy Rights?
    13. What are Authorized Agents?
    14. How We Will Verify Your Identity
    15. How and When We Will Respond to Your Requests
  11. Privacy of Children
  12. Changes to this Notice
  13. Contact Us
  14. European Union Representative

EVERSANA Privacy Notice

Effective on: October 21, 2025

Introduction and Scope

EVERSANA (“EVERSANA”, “we”, “us”, “our”) takes the protection of personally identifiable information (also referred to as “Personal Data”) very seriously. We apply the globally recognized, core principles of data protection throughout our programs and services. Those principles include Lawfulness, Fairness and Transparency, Purpose Limitation, Data Minimization, Accuracy, Storage Limitation, Integrity & Confidentiality, Individual Rights and Accountability. In short, we only collect and process the Personal Data that we need for a specific purpose, we inform you of our practices and your rights, obtain your consent when necessary, protect your data with technical and operational measures, and only keep your data for as long as necessary or for as long as the laws allow. This Privacy Notice (the “Notice”) addresses Personal Data we may receive through our public website(s) and the other information systems we use to market and sell our services.

Please read this Notice to learn what EVERSANA is doing with your Personal Data, how we protect it, and the privacy rights you may have under data protection legislation which applies to our products and services including, but not limited to, the General Data Protection Regulation (“GDPR”), the United Kingdom’s General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”) and other US state privacy laws, as well as the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) (collectively, “Applicable Laws”).

This Notice does not apply to Personal Data we collect by other means, such as Personal Data of clinical trial participants or, the Personal Data of our employees.

Notice applies to all individuals whose Personal Data we process. References to “you” or “your” in this Notice include:

  • Website visitors who browse or interact with our online content;
  • Customers or business partners who use our services or communicate with us;
  • Patients and caregivers who participate in our patient-support or clinical programs;
  • Healthcare professionals engaged in those programs; and
  • Employees, contractors, and applicants, where applicable.

If specific sections of this Notice apply only to certain groups, we will identify those sections clearly.

Controllership

Within the scope of this Notice, EVERSANA acts as a data controller over Personal Data we process because we determine the purposes and means of processing Personal Data via our website and sales & marketing systems. EVERSANA acts as a “data processor” or “service provider,” when processing Personal Data for our customers and such processing is governed by applicable law and our customer contracts.

Processing of Personal Data

Depending on whether you are a current or prospective customer, a website visitor, or a current or prospective business partner (for example, a supplier), we may process various types of Personal Data, as described below. The table shows how and why we collect Personal Data and the categories of third parties with whom we share Personal Data.

Personal Data in the context of this Notice means any information that identifies, relates to, or can be reasonably linked to an individual.

Personal Data includes sensitive Personal Data (also referred to as Special Categories of Personal Data and includes information defined by the Health Insurance Portability and Accountability Act (HIPAA) as protected health information (PHI)). Special Categories of Personal Data include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information, or data concerning a person’s sex life or sexual orientation. EVERSANA will first obtain your Consent for processing these categories of information.

Basis of Processing

We may process your Personal Data based on:

  • the need to perform a contract or to take preliminary steps before entering into a contract. If we process your Personal Data to perform a contract it is because your data is necessary. Without it, we cannot provide the requested services
  • our legitimate interests, such as our interest in marketing and selling our services;
  • the need to comply with the law; or
  • any other ground, as required or permitted by law.

Personal Data We Collect, How We Receive Personal Data, and How We Use Personal Data

The following table summarizes, in accordance with applicable law, the categories of Personal Information we collected in the last twelve months and how we use and disclose them. Many of the categories are not collected in every situation, and some of the Personal Data is only collected at the direction of our customers.

Personal Data We Collect, How We Receive Personal Data, and How We Use Personal Data
Category of Personal Information Examples of Data Elements Sources of Information How We Use Your Personal Data
A. Identifiers Name, alias, postal address, email address, telephone number, online identifiers (e.g., IP address, device ID), or similar identifiers Directly from you (web forms, event registrations, email), indirectly through cookies or analytics tools, referrals, publicly available sources (i.e., social media), or purchased business-contact lists We may process your Personal Date for the purposes of:

  • Marketing and selling our services to you
  • Enabling the use of our services
  • Responding to your requests or questions
  • Sending you email marketing communications about our business which we think may interest you
B. Customer Record Information Name, address, email, telephone number, employer, and job title Directly from you or your employer, business partners, trade shows We may process your Personal Date for the purposes of:

  • Marketing and selling our services to you
  • Enabling the use of our services
  • Responding to your requests or questions
  • Sending you email marketing communications about our business which we think may interest you
C. Commercial Information Records or products or services purchased, obtain, or considered From you or your employer We may process your Personal Date for the purposes of:

  • Marketing and selling our services to you
  • Enabling the use of our services
  • Responding to your requests or questions
  • Sending you email marketing communications about our business which we think may interest you
D. Internet or Network Activity Browsing history, search history, session logs, website interactions, cookie identifiers Automatically through cookies, web beacons, pixels, or similar technologies; Chatbot We may process your Personal Date for the purposes of:

  • Marketing and selling our services to you
  • Enabling the use of our services
  • Responding to your requests or questions
  • Sending you email marketing communications about our business which we think may interest you
E. Geolocation Data (approximate) City, state, ZIP code inferred from IP address Automatically via cookies or analytics We may process your Personal Date for the purposes of:

  • Marketing and selling our services to you
  • Enabling the use of our services
  • Responding to your requests or questions
  • Sending you email marketing communications about our business which we think may interest you
G. Professional or Employment-Related Information Job title, employer name, business email, work phone Directly from you, your employer or publicly available professional profiles We may process your Personal Date for the purposes of:

  • Marketing and selling our services to you
  • Enabling the use of our services
  • Responding to your requests or questions
  • Sending you email marketing communications about our business which we think may interest you
H. Inferences Drawn from Other Information Profiles reflecting preferences or interests in EVERSANA’s products or services Derived internally from analytics and user engagement metrics We may process your Personal Date for the purposes of:

  • Marketing and selling our services to you
  • Enabling the use of our services
  • Responding to your requests or questions
  • Sending you email marketing communications about our business which we think may interest you
I. Sensitive Personal Information (as defined by state or federal law, i.e., CCPA/CPRA, HIPAA) Not collected through the website or sales & marketing systems (no Social Security number, driver’s license, precise geolocation, health, or biometric data) Not Applicable We may process your Personal Date for the purposes of:

  • Marketing and selling our services to you
  • Enabling the use of our services
  • Responding to your requests or questions
  • Sending you email marketing communications about our business which we think may interest you

Sale and Sharing Personal Data with Third Parties

We may share Personal Data with our subsidiaries and affiliates, as well as with our service providers and contractors, who process Personal Data on our behalf, and who agree to use the Personal Data only to assist us in providing support and infrastructure for our sales & marketing systems, providing our services, or as required by law. These third parties are contractually bound to protect your Personal Data and are prohibited from using it for any other purpose.

We or share your Personal Data with third parties for cross-contextual behavioral advertising purposes, as those terms are defined under applicable privacy laws.

International Transfers of Personal Data

Personal Data in the European Economic Area (EEA) is protected by strict data protection laws. However, countries outside of EEA may not necessarily protect your Personal Data in the same way, or in such a way that prevents their courts, law enforcement, and national security authorities from accessing it. Data protection laws in these regions regulate how your Personal Data may be transferred to third parties located in other regions.

Certain countries outside of EEA are recognized as providing an adequate level of data protection.

Other countries located outside the EEA, United Kingdom, or Canada may not have been determined by the European Commission or the United Kingdom to provide an equivalent level of data protection and make not always provide the same level of data protection. When we transfer your Personal Data to these countries, we will make sure appropriate safeguards are in place. These safeguards may include European Commission-approved standard contractual clauses or equivalent clauses approved by the United Kingdom.

Other Disclosures of Your Personal Data

We may disclose your Personal Data to the extent required by law, or if we have a good-faith belief that we need to disclose it to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties). We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.

We reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal business purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.

If we must disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.

ChatBot

The Chatbot, which appears at the bottom of our website (eversana.com) will collect and process your data with your consent. By interacting with the Chatbot you are providing your consent to the processing of your information.

EVERSANA is the controller of Personal Data processed through the Chatbot. We engage service providers (for example, hosting and analytics providers) who process Chatbot data on our behalf. We engage these service providers under strict controls for data protection embodied in written agreements. The Chatbot collects only the Personal Data which you voluntarily provide, such as your name, email, or business contact details. We do not collect or attempt to collect any sensitive information (e.g., health data, government ID numbers, or financial information). Chatbot data is not used to train models, and no automated decisions or profiling are made through Chatbot interactions. User IP addresses are captured to validate your sessions.

Information obtained by the Chatbot is used only to provide you with information and certain resources. For example, if you are looking for career opportunities, the Chatbot will guide you to the right website page. We minimize Personal Data collection and only ask for the information necessary to help you, per your needs and requests. If you are a patient and land on our website, please note that EVERSANA is not a healthcare provider. Please direct your questions about possible illness or medications to your personal healthcare provider. If you are a business visitor and wish to learn more about our services, the Chatbot will guide you to EVERSANA information based on your interests.

Cookie Policy

A “cookie” is a small text file placed on your device when you visit a website. We may use cookies to provide basic relevant ads, website functionality, authentication (session management), usage analytics (web analytics), and to remember your settings, and generally improve your experience on our websites and services. For detailed information about how we use cookies, please open this link to our Cookie Policy.

We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser but always have an expiration date. Most of the cookies placed on your device through our services are first-party cookies, since they are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our services. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.

If you would prefer not to accept cookies, you can change the setup of your browser to reject all or some cookies. Note, if you reject certain cookies, you may not be able to use all of our services’ features. For more information, please https://www.aboutcookies.org/.

You may also set your browser to send a Do Not Track (DNT) signal. For more information, please visit https://allaboutdnt.com/. Please note that our services do not have the capability to respond to “Do Not Track” signals received from web browsers.

Data Integrity & Security

We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing. This includes unauthorized access, disclosure, alteration, or destruction.

Data Retention

When the purposes of processing are satisfied and no lawful basis for retention remains, we will delete your Personal Data.

EVERSANA has policies for data retention that we enforce based on the type of data and the purposes for retention in compliance with applicable data protection laws.

Your Privacy Rights and Choices

You have specific rights regarding your Personal Data collected and processed by us. Please note that you can only exercise these rights with respect to Personal Data that we process about you when we act as a data controller or as a “business” under the CCPA. This is when EVERSANA decides why and how your Personal Data will be processed, rather than our customers making those decisions.

To exercise your rights with respect to information processed by us on behalf of one of our customers, please read the privacy policies of our customers. If you wish to make your request directly to us, please provide us the name of our customers who submitted your data to us or let us know that you are uncertain about which of our customers submitted your data to us. Because we may only act upon instructions from our customers, we will refer your request to the relevant customer and will support them as needed in responding to your request within a reasonable timeframe.

We may need to confirm your identity in order to process your request. A request can also be made on behalf of your child or ward (who is under the age of 18 years).

In this section, we describe your privacy rights and then we explain how you can exercise your rights:

Right to Be Informed

This right means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things.

We are informing you of how we process your Personal Data with this Privacy Notice.

Right of Access

This means that you may ask for full details of the Personal Data we hold about you.

You have the right to ask us whether we process your Personal Data and if we do you may request a copy of your Personal Data.

First, we will ask you to confirm your identity (or the identity of your authorized agent) who makes a request for access. Once we verify that you are who you claim you are, we can disclose to you:

  • The categories of Personal Data we have collected about you;
  • The categories of sources of the Personal Data we have collected about you;
  • The business and commercial purposes for which we process your Personal Data;
  • The time we expect to hold your data;
  • The categories of third parties with whom we share your Personal Data;
  • The specific pieces of Personal Data we collected about you;
  • If we use legitimate interests as a lawful basis to process your Personal Data, we will explain our rationale to you;
  • The appropriate safeguards for transferring your data to an international destination, if applicable.

The CCPA does not allow us to disclose social security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medical identification numbers, account passwords, or security questions and answers. We can inform you that we have this information generally, but we may not provide the specific numbers, passwords etc. to you for security and legal reasons.

Right to Change Your Personal Data

This is called the “right to rectification”. It gives you the right to ask us to correct, without undue delay, anything that you think is wrong with the Personal Data we have on file about you, and to complete any incomplete Personal Data.

Right to Delete Your Personal Data

This is called the right to erasure, right to deletion or the “right to be forgotten”. This right means you can ask us to delete your Personal Data.

Sometimes we can delete your information, but other times it is just not possible, like when the law tells us we cannot do that.

There are certain occasions where we cannot fulfill a deletion request under Applicable Laws, and may deny your request, such as if we or our service providers need to retain your Personal Data to:

  • Complete the transaction for which we collected your Personal Data;
  • Provide a good or service that you requested, take actions related to that good or service or perform our contract with you;
  • Respond to security incidents;
  • Repair products or service functionalities;
  • Engage in scientific, historical, or statistical research; or
  • Comply with a legal obligation as required by applicable laws.

Right to Restrict Processing

This means you may ask us to only use or store your Personal Data for certain purposes. You have this right in certain occasions, such as where you believe the data is inaccurate or the processing activity is unlawful. This right enables you to ask us to suspend the usage of your Personal Data, for example if you want us to establish its accuracy or the reason for processing it.

Right to Object

This means you may tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours. Also, you have the right to object at any time to the processing of your Personal Data for direct marketing purposes.

We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.

You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails that you may receive. We maintain information regarding individuals who have opted-out in order to prevent future communications.

Right to Port or Move Your Personal Data

This is known as the “right to data portability” and enables you to ask for and download Personal Data about you that you have given us or that you have generated by virtue of the use of our services, so that you can:

  • Move it;
  • Copy it;
  • Keep it for yourself; or
  • Transfer it to another organization.

We will provide your Personal Data in a structured, commonly used and machine-readable format.

Right Not to be Subjected to Automated Decision-Making

We may apply data analytics to Personal Data using strict control guidelines. We might study this Personal Data in order to improve our services or your interactions with our company.

However, for decisions that may seriously impact you, you have limited rights to object to automated decision-making, including profiling”. For example, you have the right to opt-out of targeted marketing in our Cookie Preference Center.

Right to Withdraw Your Consent

Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. If you withdraw your consent, our use of your Personal Data before you withdraw is still lawful.

If you have given consent for your details to be shared with a third party, and wish to withdraw this consent, you advise you to also contact the relevant third party to change your preferences.

Right Not to Be Discriminated Against for Exercising Your Privacy Rights

We will not discriminate against you for exercising any of your privacy rights under applicable state privacy laws. Unless specifically permitted by law, or your contract with us, we will not:

  • Deny you goods or services;
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  • Provide you a different level or quality of goods or services; or
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Right to Lodge a Complaint with a Supervisory Authority

If we process your Personal Data and you are an EU resident, you may also have the right to lodge a complaint with the relevant data protection regulator. For more information on this point, please visit the site at: https://www.gdprregister.eu/gdpr/dpa-gdpr/.

How Can You Exercise Your Privacy Rights?

To exercise any of the rights described above, please submit a request by either:

EVERSANA
Attn: Privacy Counsel
7045 College Blvd Ste 300
Overland Park, KS 66211-1529
USA

What are Authorized Agents?

You may appoint an authorized agent to exercise your rights on your behalf. You should appoint such agent via written permission or a power of attorney pursuant to state law such as the Probate Code of California or the applicable rules for authorizing somebody else to exercise your rights in your country of residence.

To verify that your authorized agent acts on your behalf, we will ask for this written permission from your agent or for the power of attorney. In case you provided your authorized agent with a written permission, we will require that you also verify your identity.

How We Will Verify Your Identity

To evaluate your privacy rights requests, we need to be sure you are who you claim you are. We will verify your identity by sending you an email requesting that you confirm certain Personal Data that we have in our records.

To carry out the verification, we may ask you for information you provided to us previously, such as your contact number, email address, date of birth, your zip code, or the date that you last received a call/communication from us.

Please note that you may only make a Request to Access or a data portability request twice within a 12-month period.

How and When We Will Respond to Your Requests

We respond to rights requests in compliance with applicable data protection laws. We will confirm receiving your request within ten (10) days, describe our identity verification process, and let you know as when you should expect a response.

We will respond to verifiable rights requests within 45 days of receipt. If we require additional time (up to 90 days total), we will inform you in writing of the reason and extension period.

If we cannot satisfy your request, we will also explain why in our response. For data portability requests, we will choose a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without difficulty.

We will not charge a fee to process or respond to your verifiable rights request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision, provide you with a cost estimate before completing your request, and offer you the opportunity to modify or withdraw the request.

We will provide at least two free requests per person per year.

Privacy of Children

We do not knowingly collect or process Personal Data from children under the age of 16 without parental consent, or as otherwise permitted by applicable law. If we learn that we have collected Personal Data from a child under the applicable age limit without parental consent, or consent of an authorized representative, we will take steps to delete that information.

Changes to this Notice

If we make any material change to this Notice, we will post the revised Notice to this web page. We will also update the “Effective” date. By continuing to use our services after we post any of these changes, you accept the Notice as amended.

Contact Us

If you have any questions about this Notice or our processing of your Personal Data, please write to us by email at [email protected]. Please allow up to four weeks for us to reply.

European Union Representative

We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +420 228 881 031.

Alternatively, VeraSafe can be contacted at:

VeraSafe Ireland Ltd
Unit 3D North Point House
New Mallow Road
Cork T23AT2P
Ireland		 VeraSafe Czech Republic s.r.o.
Klimentská 46
Prague 1
11002
Czech Republic		 VeraSafe Netherlands BV
Keizersgracht 555
1017 DR Amsterdam
Netherlands